January 09, 2008

Liberty Alliance Project
ID Theft SIG
Conference Call
Meeting Notes
Wednesday, January 9, 2008
9:30 AM PT / 12:30 PM ET / 17:30 UTC
Author: Kurt Kolok

Attendees:

  • Bob Pinheiro, Chair (Individual Contributor)
  • Abhilasha Bhargav-Spantzel, Purdue University
  • Paul Biciunas, Fidelity Investments
  • Robin Wilton, Sun
  • Steve Bramson, Omnibranch
  • Eric Nelson, STS (Strategic Tech Solutions)
  • Kevin O’Neill, CYVA
  • Kurt Kolok, Liberty Staff

Following are the SIG’s achievements for 2007:

  • Input into various Liberty papers: Open Standards, Contractual Framework for Circles of Trust, Identity Governance Framework
  • Input into various other standards bodies’ work on Identity Management: ITU-T, ISO SC27, IDABC
  • Initiated work in other parts of Liberty on: Citizen Dashboard, Authentication Assurance levels in SAML 2.0

Bob has proposed that we change the call time to 12 Noon instead of 12:30pm EDT in order to allow all to join.

Agreed: We will meet a half hour earlier ongoing.

Identity assurance and authentication.

IDPs have not yet figured out how to make money on identity assurance/authentication (they need a business model).

Who is in the Identity Assurance Expert Group? There is both an expert group and a SIG focused on identity assurance. Jane Hennessy (Wells Fargo) wrote a white paper on this because Wells Fargo believes there is business opportunity in this area.

Privacy

Kevin would probably be best to comment on this.

Robin: If a SIG does not have work items it would simply turn into a weekly chat.

There is a possibility that we could work with PPEG to develop a position paper.

Are there specific topics that would be relevant in working with PPEG? What things would we work on? Management of personal data and privacy. There is an interesting intersection between privacy requirements and identity requirements. Another would be forensics for data breaches (what could be done before the breach happens to avoid a breach to begin with).

Would this work find its way into Liberty specifications, or would it be best handled through some other deliverable? Position papers would not necessarily require a new specification. If someone is working on an attribute provider implementation, we could provide privacy and data minimization considerations which they may want to put into practice. CSIS produced a white paper that was voted out for release at the Tokyo meeting. Peter Lord is working on a launch event for this. The enterprise and consumer communities are focusing more on data breaches and forensics than on identity assurance. They are focusing on how to determine that a breach has occurred and/or how the data is identified.

Robin: If anyone uses bogus records, a red flag would go off if they visited a bank and tried to access account information on a bogus account. A domain managing multiple email accounts is an alternative to having multiple email addresses for different functions/events/purposes. We understand the basic principle and some of the issues that arise.

Who would be responsible for this type of document? We could start a page on a wiki with documents allowing anyone to contribute a paragraph, etc… Those drafts could then be edited into a complete document. Each page would need a nominal owner who would act as a monitoring editor. Then we would find someone to do the document editing work.

Would we add different topics? Yes, they would be added within each ‘document/discussion’ on the wiki.

Steve: It seems like a lot of the problems are not really problems.

If the client device does not know the right IDP, that is problematic. If someone stole an individual’s information, then the individual whose identity was stolen would need to be asked who their IDP is. If that IDP cannot verify their identity, then that is a problem.

The trust framework document that EAP produced was published and is currently awaiting comments. There are four assurance levels and for each there is some specification. We are talking about something stronger than assurance levels one and two. In the framework document there are recommendations for solutions (much of that delivered by NIST).

Robin: Colin Wallis (eGov SIG chair) is interested in the levels of assurance from the perspective of the New Zealand government. Schematics are difficult.

Bob: If you are talking about a bank giving out a credit card then the bank needs to make sure it is checking the correct person’s identity/information.

How do you get the relying parties to implement? Public policy comes into play because it is up to the government to set the rules. Any entity that establishes credit accounts has to have a written ID theft policy in place (identifying how they will prevent identity theft, how they will detect fake documents, etc…).

ACTION: Bob will put a list of topics on the wiki asking people to contribute that which they are able to.

Kevin: Would like to invite people to speak on a call re: privacy in other groups (ISO). The privacy manager for the state of California would be interesting to have on a call (Joan McNabb). Mari would also be someone to include as well.

ACTION: Steve knows Joan McNabb and will invite her to a conference call when/if the group decides to request her presence.

There is a law winding its way through Congress that would permit the ID theft victim to seek compensation from the perpetrator.

Kevin: We should invite someone involved in the privacy work in ISO (International Standards Organization).

ACTION: Kevin will identify someone that would be appropriate to invite to speak with us re: privacy work in ISO.
